Analytics steps up to meet evolving cybersecurity threats

by Daniel Teachey, SAS Insights Editor

Cyberattacks are becoming a standard part of the news cycle. With organizations facing an increasing set of threats from more venues, I talked with Stu Bradley, Sr. Business Director of Security Intelligence at SAS, about the role of analytics in the evolving cybersecurity world.

What are the potential consequences of a cyber breach?

It really depends. An organization’s brand could become tarnished. Customers may also stop doing business with that company. There could also be deep financial consequences from fines, penalties, and class-action lawsuits. In some cases, an organization may lose its competitive edge, particularly when trade secrets are stolen. In the most extreme case, a city or country’s critical infrastructure or defenses may be threatened by a cybersecurity breach.

It seems like every week brings another high-profile cybersecurity breach – and even the White House isn’t immune. Why are these breaches becoming commonplace?

Cybercrime continues to grow at an alarming rate, and I think we’ll see that continuing. Before you can protect data, you have to know where sensitive data is. For many organizations, that often sounds easier than it is. With the growth of the Internet of Things (IoT) and bring your own device (BYOD) policies, there are so many additional ways into an organization’s network. The volume and variety of devices connected to the network, plus the extension of the network to third parties like contractors and partners, gives attackers more entry points than before. Organizations are only as secure as their weakest link. Plus, you can’t overlook human error and carelessness. That’s something that will always be an easy target for hackers.

Insider threats seem to be the most common tactic. How are cybercriminals infiltrating networks and data “from the inside”?

Even though we’ve all known about phishing scams for several years, it’s still a very popular and successful way to get into an organization’s network. Attackers also have a variety of methods for gaining access to credentials. When one method doesn’t work, they try something else – it’s always evolving. In addition to compromising unknowing individuals, I think we’ll see more cybercriminals working directly with organizational insiders to gain knowledge of network defenses and sensitive data for more efficient execution of attacks.

Historically, firewalls, encryption and other traditional, or niche, security methods have been employed, but they don’t seem to be good enough. How does analytics help in combating cyber threats?

These legacy capabilities are an important part of any security strategy, but they’re geared towards solving a narrow and specific problem. These individual solutions don’t integrate data, and thus don’t create the necessary context at an enterprise level that’s required to better mitigate cyber risk. In addition, many traditional methods are based on rules or signatures and only protect against known threats. With attacks constantly evolving, these technologies aren’t always going to be successful in keeping an attacker out of the network or sensitive data from leaving. What’s needed is something that can capture that in-between phase, when the attacker is in the network gathering information. This is where behavioral analytics monitoring the network in real time can play an important role.

For many large-scale cyberattacks, organizations could only detect them after they happened. Is there a way to find them before they wreak havoc?

In many of these large-scale cyberattacks, attackers were in the organization’s network for weeks or months. Behavioral analytics – particularly those that understand not only network interactions but the business relevance of those interactions – can help find those movements and patterns that may indicate malicious activity. The analytics should be performed in real time to give the organization immediate situational awareness that allows it to take fast action and mitigate any potential risks that arise.

Technologies that monitor for cyberattacks generate a high volume of alerts from different systems that can’t all be analyzed manually or together. Is there a way to prioritize the high-risk alerts?

That’s really the problem with many technologies today. There’s no easy way to tell if the alerts that bubble up should truly be the highest priority alerts. So, security analysts often must do manual work and/or investigate more alerts than they might truly need to otherwise – which takes valuable time away from finding the real threat. Even with SIEM and other solutions that aggregate alerts and enterprise information, the analytic capabilities are not robust enough or deployed in the required timeframes to best mitigate threats. Dumping, then analyzing, data has not proven to be effective in proactively mitigating risks.
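As an added illustration (not code from the interview or from SAS) of two of the points above, a behavioral baseline that catches what a signature list cannot, and a single risk-ranked queue built from alerts that arrive from different monitoring systems, here is a toy scorer. Every user, host, baseline, event and the scoring formula itself (anomaly z-score weighted by asset criticality) is a constructed assumption.

```python
from statistics import mean, pstdev

# Constructed 7-day baseline of outbound megabytes per user.
BASELINE = {
    "alice": [120, 110, 130, 125, 115, 118, 122],
    "bob":   [40, 45, 38, 42, 41, 39, 44],
}
# Constructed business context: criticality of the destination system.
ASSET_CRITICALITY = {"hr-db": 3, "file-share": 2, "wiki": 1}
# Constructed legacy signature list of known-bad destinations.
KNOWN_BAD_ASSETS = {"known-bad.example"}
# Constructed "today" events, as two different monitoring systems report them.
EVENTS = [
    {"src": "dlp",   "user": "alice", "asset": "wiki",       "mb": 128},
    {"src": "proxy", "user": "bob",   "asset": "hr-db",      "mb": 400},
    {"src": "proxy", "user": "alice", "asset": "file-share", "mb": 130},
]

def signature_hit(event):
    """Legacy rule: fires only for destinations already on the known-bad list."""
    return event["asset"] in KNOWN_BAD_ASSETS

def zscore(value, history):
    """Standard deviations between `value` and the user's own historical norm."""
    sd = pstdev(history) or 1.0          # guard against a perfectly flat baseline
    return (value - mean(history)) / sd

def score_event(event):
    """Risk = behavioural anomaly (positive deviation only) x asset criticality."""
    z = zscore(event["mb"], BASELINE[event["user"]])
    crit = ASSET_CRITICALITY.get(event["asset"], 1)
    return round(max(z, 0.0) * crit, 2)

def prioritize(events):
    """Merge alerts from every source into one queue, highest risk first."""
    ranked = [dict(e, sig=signature_hit(e), risk=score_event(e)) for e in events]
    return sorted(ranked, key=lambda e: e["risk"], reverse=True)

if __name__ == "__main__":
    for e in prioritize(EVENTS):
        print(f"{e['risk']:8.2f}  sig={e['sig']!s:5}  {e['src']:5}  "
              f"{e['user']:6} -> {e['asset']}")
```

None of the constructed events matches the signature list, yet bob's transfer to the most critical asset rises to the top of the queue purely on deviation from his own baseline.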

How can big data analytics help with uncovering cyber threats?

With big data solutions, organizations now have the technology to use information in timeframes and ways not possible in the past. Behavioral analytics and frameworks like Hadoop can help improve security at a much faster rate. The speed and complexity of the analytics can be optimized across the real-time, “near-time” and “any-time” continuum for better situational awareness using streaming, in-memory, and high-performance analytics. Ultimately, big data analytics can help organizations learn more about attackers’ activities than attackers know about organizations’ networks. These solutions can provide an essential layer of cyber defense to help organizations see connections that might otherwise be missed by siloed analysis of product log files or partial data analysis.